PATENT

IN THE UNITED STATES PATENT AND TRADEMARK OFFICE 

International Patent Application 
No. PCT/EP00/07124 

PCT/DO/EO/US 

International Filing Date: 25 July 2000 
Applicant: Albert MODL et al. 

Attorney Docket: MODL3004/JEK 
For: METHOD, DEVICE AND SYSTEM FOR BIOMETRIC AUTHENTICATION 



PRELIMINARY AMENDMENT 



Commissioner for Patents 
Washington, D.C. 20231 

Sir: 

This paper accompanies documents submitted to establish the U.S. national 
stage of the above-identified international patent application. 

The international patent application was amended under PCT Article 34 and the 
claims as-amended are annexed to the International Preliminary Examination Report 
(IPER). 

Before calculation of the filing fee and before examination, kindly amend the 
application documents as follows: 



IN THE CLAIMS:

Please amend the claims as annexed to the IPER as shown on the appended
APPENDIX OF CLAIMS, which includes amended and non-amended claims. Also
appended hereto is an APPENDIX OF MARKED UP CLAIMS showing the changes which
have been made.



IN THE SPECIFICATION: 

In the original specification as-filed, on page 2, change the first partial paragraph 
on this page to read: 

--data with a person's newly detected biometric data yields a match higher than 
said (second) threshold value. If the error message is issued it may also be provided 
that further operation is automatically disabled.--

A marked up version of the amended page 2 of the specification is appended 
hereto. 

In the ANNEX pages submitted as AMENDED SHEETS 1 and 1a, correct the 
number appearing at the top of the second page to read --1a--.

A marked up version of the second page of the amended sheet of specification 
is appended hereto. 

REMARKS 

All rights are reserved to the original claimed subject matter. The claims have 
been amended to reduce the filing fees and to restate the inventive subject matter in 
clear terms. None of the amendments are intended to narrow any element of the 
claims as they stood prior to amendment. Examination of the application as amended 
is respectfully requested. 

Respectfully submitted, 




Customer 23364
625 Slaters Lane - 4th Floor
Alexandria, VA 22314-1176
Telephone: (703) 683-0500 
Facsimile: (703) 683-1080 

Date: January 30, 2002 
APPENDIX OF CLAIMS

1. A method for protecting biometric authentication from replay attacks 
wherein comparison is performed for a match between a person's biometric data 
stored as reference data and the person's redetected biometric data and 
authentication is effected if the match is equal to or greater than a predetermined 
first threshold value, characterized in that authentication is refused if the comparison 
yields a match of the redetected biometric data with the stored reference data which 
is equal to or greater than a predetermined second threshold value. 

2. A method according to claim 1, characterized in that the second threshold
value is defined as a 100% match. 

3(Amended). A method according to claim 1, characterized in that the 
biometric data detected in different authentication processes are collected and 
stored as data records and authentication is refused if the redetected biometric data 
of a current authentication process have a match higher than the predetermined 
second threshold value in comparison to one of the stored data records. 

4(Amended). A method according to claim 1, characterized in that the second
threshold value is defined as an at least 99% data match.

5(Amended). A method according to claim 1, characterized in that the
reference data and optionally the data records are stored on a data carrier, in
particular a smart card. 

6(Amended). A method according to claim 1, characterized in that the 
reference data and optionally the data records are stored in an authentication 
apparatus, in particular a smart card terminal. 




7(Amended). A method according to claim 1, characterized in that a hash 
value is formed from the redetected biometric data, and the stored reference data 
are a hash value. 

8. An apparatus for biometric authentication comprising a first memory area 
with biometric data as reference data and a comparison circuit which generates a 
message permitting authentication when a comparison of the reference data with a 
person's newly detected biometric data yields a match which is equal to or greater 
than a given first threshold value, characterized in that the comparison circuit 
generates a message refusing authentication if a comparison of the reference data 
with a person's newly detected biometric data yields a match which is equal to or 
greater than a given second threshold value. 

9. An apparatus according to claim 8, characterized in that the apparatus is 
a data carrier, in particular a smart card. 

10(Amended). An apparatus according to claim 8, characterized in that the 
threshold value is set at 100%. 

11(Amended). An apparatus according to claim 8, characterized by further
memory areas in which several data records of redetected biometric data are stored. 

12. An apparatus according to claim 11, characterized in that the further 
memory areas form a stack. 

13. An apparatus according to claim 11, characterized in that the further 
memory areas form a shift register. 

14(Amended). An apparatus according to claim 8, characterized in that the 
threshold value is set at a value = 99%.

15(Amended). An apparatus according to claim 8, characterized in that the 
apparatus is automatically disabled if the message is present. 

16(Amended). An apparatus according to claim 8, characterized in that the 
apparatus issues an error message if the message is present. 

17(Amended). An apparatus according to claim 8, characterized in that a 
hash value derived from biometric data is stored as reference data in the first 
memory area, and the comparison circuit forms a hash value from the newly 
detected biometric data for comparison with the stored reference data. 

18(Amended). An apparatus according to claim 8, characterized in that the 
apparatus has a device for detecting a person's biometric data.
APPENDIX OF MARKED UP VERSION OF CLAIMS

3(Amended). A method according to [either of claims 1 and 2] claim 1, 
characterized in that the biometric data detected in different authentication processes 
are collected and stored as data records and authentication is refused if the 
redetected biometric data of a current authentication process have a match higher 
than the predetermined second threshold value in comparison to one of the stored 
data records. 

4(Amended). A method according to [any of claims 1 to 3] claim 1,
characterized in that the second threshold value is defined as an at least 99% data 
match. 

5(Amended). A method according to [any of claims 1 to 4] claim 1,
characterized in that the reference data and optionally the data records are stored 
on a data carrier, in particular a smart card. 

6(Amended). A method according to [any of claims 1 to 4] claim 1,
characterized in that the reference data and optionally the data records are stored 
in an authentication apparatus, in particular a smart card terminal. 

7(Amended). A method according to [any of claims 1 to 6] claim 1,
characterized in that a hash value is formed from the redetected biometric data, and 
the stored reference data are a hash value. 

10(Amended). An apparatus according to claim 8 [or 9], characterized in that 
the threshold value is set at 100%. 
11(Amended). An apparatus according to [any of claims 8 to 10] claim 8,
characterized by further memory areas in which several data records of redetected 
biometric data are stored. 

14(Amended). An apparatus according to [any of claims 8 to 13] claim 8, 
characterized in that the threshold value is set at a value = 99%. 

15(Amended). An apparatus according to [any of claims 8 to 14] claim 8,
characterized in that the apparatus is automatically disabled if the message is 
present. 

16(Amended). An apparatus according to [any of claims 8 to 15] claim 8, 
characterized in that the apparatus issues an error message if the message is 
present. 

17(Amended). An apparatus according to [any of claims 8 to 16] claim 8,
characterized in that a hash value derived from biometric data is stored as reference 
data in the first memory area, and the comparison circuit forms a hash value from 
the newly detected biometric data for comparison with the stored reference data. 

18(Amended). An apparatus according to [any of claims 8 to 17] claim 8, 
characterized in that the apparatus has a device for detecting a person's biometric 
data. 
message and for example issues an error message when a comparison of the reference
data with a person's newly detected biometric data yields a match higher than said 
(second) threshold value. If the error message is issued it may also be provided that 
further operation is automatically disabled. 

An example to be mentioned is the comparison of two signatures by one and the 
same person. Said signatures may be congruent when viewed visually, but they can 
never be brought in congruence pixel by pixel at a resolution of 500 dpi for example. If 
the dynamic components of the signature are taken into consideration there are further 
degrees of freedom and natural deviations. 

This (second) threshold value of 99% or 100% relevant for the invention is stored 
together with the reference data either in a terminal or on a separate data carrier, in 
particular a smart card. 

In a preferred embodiment of the invention it is provided that the detected 
biometric data which led to an authentication, and optionally also those detected 
biometric data which did not lead to authentication because they were below the first 
threshold value, are collected and stored as data records. Said data records are 
preferably stored in a stack or shift register. In each authentication process it is then 
checked whether the biometric data of the presented biometric feature are identical 
with one of the stored data records or optionally have more than a 99% match. Then a 
replay attack can be assumed and authentication is refused by the authentication 
system. 

In a further advantageous embodiment of the invention, hash values are stored 
instead of, or in addition to, the biometric comparative data records last received by the 
smart card. A hash function is applied to the comparative data record to generate a 
relatively short hash value. Hash functions are known in the art, a hash function being 
a unique, reductive mapping onto a fixed-length word. The hash function is executed 
in several rounds on a block-by-block partition of the raw data. The result depends on 
the total input. Calculation of the raw data from the hash value is not possible. It is 
difficult in terms of complexity theory to alter the input data selectively in such a way 
that the hash value remains the same. 
refused according to the invention. A comparison circuit is provided which generates a

Method and apparatus for biometric authentication

This invention relates to a method and to an apparatus for biometric 
authentication, in particular for protecting biometric authentication from replay attacks. 

An authentication method is used when a person desires access to protected 
facilities. For example, authentication is regularly effected by means of a PIN 
comparison when a card user introduces a smart card - for example a credit card - into 
a bank machine (terminal) or when a person desires admission to protected-access 
premises. A stored PIN is checked for identity with the PIN entered by the card user or 
the person desiring admission. 

In the case of a biometric authentication method, a biometric feature of the 
person is used as an identification feature instead of a PIN. The biometric feature can 
be a fingerprint, for example, but shall also include a personal signature within the 
scope of the present invention. A disadvantage of such authentication methods is that 
an attack on authentication is possible if the biometric data which were stored as 
reference data or which led to an authentication are intercepted by unauthorized third 
parties to be used again later for unauthorized authentication. This type of attack is 
referred to as a replay attack. WO 98/11750 A2 discloses a method for preventing
replay attacks wherein the encrypted digital data of fingerprints are stored. If identical 
data are entered at a later time, authentication is refused. 

The problem of the present invention is therefore to provide a method and 
apparatus for biometric authentication methods with better protection from replay 
attacks. 

This problem is solved according to the invention by the features of the 
independent claims. Subclaims state advantageous embodiments of the invention. 

The invention exploits the fact that biometric features normally have in common 
that they are not 100% reproducible, unlike the PIN, so that authorization is already 
effected if the match of the biometric feature presented by the person with the stored 
reference data exceeds a predetermined threshold value. It is now provided according 
to the invention that the match must not be above a (second) predetermined threshold 
value, in particular must not be 100% and preferably no more than 99%. In the case of 
message and for example issues an error message when a comparison of the reference

1. A method for protecting biometric authentication from replay attacks wherein
comparison is performed for a match between a person's biometric data stored as 
reference data and the person's redetected biometric data and authentication is effected 
if the match is equal to or greater than a predetermined first threshold value, 
characterized in that authentication is refused if the comparison yields a match of the 
redetected biometric data with the stored reference data which is equal to or greater 
than a predetermined second threshold value. 

2. A method according to claim 1, characterized in that the second threshold 
value is defined as a 100% match. 

3. A method according to either of claims 1 and 2, characterized in that the 
biometric data detected in different authentication processes are collected and stored as 
data records and authentication is refused if the redetected biometric data of a current 
authentication process have a match higher than the predetermined second threshold 
value in comparison to one of the stored data records. 

4. A method according to any of claims 1 to 3, characterized in that the second 
threshold value is defined as an at least 99% data match. 

5. A method according to any of claims 1 to 4, characterized in that the reference 
data and optionally the data records are stored on a data carrier, in particular a smart 
card. 

6. A method according to any of claims 1 to 4, characterized in that the reference 
data and optionally the data records are stored in an authentication apparatus, in 
particular a smart card terminal. 

7. A method according to any of claims 1 to 6, characterized in that a hash value 
is formed from the redetected biometric data, and the stored reference data are a hash 
value. 

8. An apparatus for biometric authentication comprising a first memory area with 
biometric data as reference data and a comparison circuit which generates a message 
permitting authentication when a comparison of the reference data with a person's 
newly detected biometric data yields a match which is equal to or greater than a given 
first threshold value, characterized in that the comparison circuit generates a message
refusing authentication if a comparison of the reference data with a person's newly 
detected biometric data yields a match which is equal to or greater than a given second 
threshold value. 

9. An apparatus according to claim 8, characterized in that the apparatus is a data 
carrier, in particular a smart card. 

10. An apparatus according to claim 8 or 9, characterized in that the threshold 
value is set at 100%. 

11. An apparatus according to any of claims 8 to 10, characterized by further
memory areas in which several data records of redetected biometric data are stored. 

12. An apparatus according to claim 11, characterized in that the further memory 
areas form a stack. 

13. An apparatus according to claim 11, characterized in that the further memory
areas form a shift register. 

14. An apparatus according to any of claims 8 to 13, characterized in that the 
threshold value is set at a value = 99%. 

15. An apparatus according to any of claims 8 to 14, characterized in that the 
apparatus is automatically disabled if the message is present. 

16. An apparatus according to any of claims 8 to 15, characterized in that the 
apparatus issues an error message if the message is present. 

17. An apparatus according to any of claims 8 to 16, characterized in that a hash 
value derived from biometric data is stored as reference data in the first memory area, 
and the comparison circuit forms a hash value from the newly detected biometric data 
for comparison with the stored reference data. 

18. An apparatus according to any of claims 8 to 17, characterized in that the 
apparatus has a device for detecting a person's biometric data. 
This invention relates to a method and to an apparatus and system for biometric
authentication, in particular for protecting biometric authentication from replay attacks. 

An authentication method is used when a person desires access to protected 
facilities. For example, authentication is regularly effected by means of a PIN 
comparison when a card user introduces a smart card - for example a credit card - into 
a bank machine (terminal) or when a person desires admission to protected-access 
premises. A stored PIN is checked for identity with the PIN entered by the card user or 
the person desiring admission. 

In the case of a biometric authentication method, a biometric feature of the 
person is used as an identification feature instead of a PIN. The biometric feature can 
be a fingerprint, for example, but shall also include a personal signature within the 
scope of the present invention. A disadvantage of such authentication methods is that 
an attack on authentication is possible if the biometric data which were stored as 
reference data or which led to an authentication are intercepted by unauthorized third 
parties to be used again later for unauthorized authentication. This type of attack is 
referred to as a replay attack. 

The problem of the present invention is therefore to protect biometric 
authentication methods from replay attacks. 

This problem is solved according to the invention by the features of the 
independent claims. Subclaims state advantageous embodiments of the invention. 

The invention exploits the fact that biometric features normally have in common 
that they are not 100% reproducible, unlike the PIN, so that authorization is already 
effected if the match of the biometric feature presented by the person with the stored 
reference data exceeds a predetermined threshold value. It is now provided according 
to the invention that the match must not be above a (second) predetermined threshold 
value, in particular must not be 100% and preferably no more than 99%. In the case of 
such a great match a replay attack can be assumed, and authentication is therefore 
refused according to the invention. A comparison circuit is provided which generates a 
message and for example issues an error message when a comparison of the reference
data with a person's newly detected biometric data yields a match higher than said 
(second) threshold value. If the error message is issued it may also be provided that 
further operation is automatically disabled. 

An example to be mentioned is the comparison of two signatures by one and the 
same person. Said signatures may be congruent when viewed visually, but they can 
never be brought in congruence pixel by pixel at a resolution of 500 dpi for example. If 
the dynamic components of the signature are taken into consideration there are further 
degrees of freedom and natural deviations. 

This (second) threshold value of 99% or 100% relevant for the invention is stored 
together with the reference data either in a terminal or on a separate data carrier, in 
particular a smart card. 

In a preferred embodiment of the invention it is provided that the detected 
biometric data which led to an authentication, and optionally also those detected 
biometric data which did not lead to authentication because they were below the first 
threshold value, are collected and stored as data records. Said data records are 
preferably stored in a stack or shift register. In each authentication process it is then 
checked whether the biometric data of the presented biometric feature are identical 
with one of the stored data records or optionally have more than a 99% match. Then a 
replay attack can be assumed and authentication is refused by the authentication 
system. 

In a further advantageous embodiment of the invention, hash values are stored 
instead of, or in addition to, the biometric comparative data records last received by the 
smart card. A hash function is applied to the comparative data record to generate a 
relatively short hash value. Hash functions are known in the art, a hash function being 
a unique, reductive mapping onto a fixed-length word. The hash function is executed 
in several rounds on a block-by-block partition of the raw data. The result depends on 
the total input. Calculation of the raw data from the hash value is not possible. It is 
difficult in terms of complexity theory to alter the input data selectively in such a way 
that the hash value remains the same. 



If features are presented a further time and biometric data calculated therefrom 
are brought into the card, the hash value is recalculated. The likelihood of two 
biometric data records generating the same hash value is low, so that a replay attack 
must be assumed in case of a match. The use of hash values permits considerable 
savings of memory space and processing time in realization of the invention. It is easy 
to store several fixed-length hash values in a kind of shift register here since a hash 
value usually requires only a few bytes of memory space. 
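
The two-threshold check and the record and hash history described above, as an added example that is not part of the filing. The byte-wise matcher, the 80% first threshold, SHA-256, the history depth of 4 and all names are assumptions, and the templates are constructed.

```python
import hashlib
from collections import deque

FIRST_THRESHOLD = 0.80   # assumed acceptance threshold; the text gives no value
SECOND_THRESHOLD = 0.99  # replay threshold; the text names 99% or 100%


def match_score(a: bytes, b: bytes) -> float:
    """Toy matcher (assumption): fraction of equal bytes in two templates."""
    if len(a) != len(b) or not a:
        return 0.0
    return sum(x == y for x, y in zip(a, b)) / len(a)


class ReplayGuard:
    """Two-threshold check plus a bounded history of earlier presentations."""

    def __init__(self, reference: bytes, history: int = 4,
                 disable_on_replay: bool = False):
        self.reference = reference
        self.records = deque(maxlen=history)  # shift register of raw data records
        self.hashes = deque(maxlen=history)   # shift register of fixed-length hashes
        self.disable_on_replay = disable_on_replay
        self.disabled = False

    def authenticate(self, sample: bytes) -> str:
        if self.disabled:
            return "DISABLED"
        digest = hashlib.sha256(sample).digest()
        score = match_score(sample, self.reference)
        replay = (
            score >= SECOND_THRESHOLD       # too close to the reference data
            or digest in self.hashes        # bit-identical to an earlier record
            or any(match_score(sample, r) >= SECOND_THRESHOLD
                   for r in self.records)   # near-identical to an earlier record
        )
        if replay:
            self.disabled = self.disable_on_replay
            return "REFUSED_REPLAY"
        # Store accepted and (the optional variant) rejected presentations.
        self.records.append(sample)
        self.hashes.append(digest)
        return "ACCEPTED" if score >= FIRST_THRESHOLD else "REFUSED_NO_MATCH"


def perturb(template: bytes, start: int, step: int) -> bytes:
    """Constructed sensor noise: invert every step-th byte from start."""
    out = bytearray(template)
    for i in range(start, len(out), step):
        out[i] ^= 0xFF
    return bytes(out)


def demo() -> list:
    reference = bytes(range(200))        # constructed reference template
    first = perturb(reference, 0, 10)    # genuine presentation, 90% match
    second = perturb(reference, 5, 10)   # genuine presentation, different noise
    near_copy = perturb(first, 1, 200)   # 'first' with a single byte changed
    guard = ReplayGuard(reference)
    return [
        guard.authenticate(first),
        guard.authenticate(second),
        guard.authenticate(first),       # exact replay, found by hash lookup
        guard.authenticate(near_copy),   # found only by raw-record comparison
        guard.authenticate(reference),   # 100% match with the reference data
        guard.authenticate(bytes(200)),  # impostor, below the first threshold
    ]


if __name__ == "__main__":
    print(demo())
```

The hash history only recognises a bit-identical resubmission; the single-byte variant is refused because the raw records are also kept, which is the memory trade-off the hash embodiment accepts.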



Claims 



1. A method for protecting biometric authentication from replay attacks wherein
comparison is performed for a match between a person's biometric data stored as 
reference data and the person's redetected biometric data and authentication is effected 
on the basis of said comparison, characterized in that authentication is refused if the 
comparison yields a match of the redetected biometric data with the stored reference 
data which is equal to or greater than a predetermined threshold value. 

2. A method according to claim 1, characterized in that the threshold value is 
defined as a 100% match.

3. A method according to either of claims 1 and 2, characterized in that the 
biometric data detected in different authentication processes are collected and stored as 
data records and authentication is refused if the redetected biometric data of a current 
authentication process have a match higher than the predetermined threshold value in 
comparison to one of the stored data records. 

4. A method according to any of claims 1 to 3, characterized in that the threshold 
value is defined as an at least 99% data match. 

5. A method according to any of claims 1 to 4, characterized in that the reference 
data and optionally the data records are stored on a data carrier, in particular a smart 
card. 

6. A method according to any of claims 1 to 4, characterized in that the reference 
data and optionally the data records are stored in an authentication apparatus, in 
particular a smart card terminal. 

7. A method according to any of claims 1 to 6, characterized in that a hash value 
is formed from the redetected biometric data, and the stored reference data are a hash 
value. 

8. An apparatus for biometric authentication comprising a first memory area with 
biometric data as reference data and a comparison circuit which generates a message 
when a comparison of the reference data with a person's newly detected biometric data 
yields a match which is equal to or greater than a given threshold value. 




9. An apparatus according to claim 8, characterized in that the apparatus is a data 
carrier, in particular a smart card. 

10. An apparatus according to claim 8 or 9, characterized in that the threshold 
value is set at 100%. 

11. An apparatus according to any of claims 8 to 10, characterized by further
memory areas in which several data records of redetected biometric data are stored. 

12. An apparatus according to claim 11, characterized in that the further memory 
areas form a stack. 

13. An apparatus according to claim 11, characterized in that the further memory 
areas form a shift register. 

14. An apparatus according to any of claims 8 to 13, characterized in that the 
threshold value is set at a value = 99%. 

15. An apparatus according to any of claims 8 to 14, characterized in that the 
apparatus is automatically disabled if the message is present. 

16. An apparatus according to any of claims 8 to 15, characterized in that the 
apparatus issues an error message if the message is present. 

17. An apparatus according to any of claims 8 to 16, characterized in that a hash 
value derived from biometric data is stored as reference data in the first memory area, 
and the comparison circuit forms a hash value from the newly detected biometric data 
for comparison with the stored reference data. 

18. A system for biometric authentication comprising an apparatus according to 
any of claims 8 to 17 and a device for detecting a person's biometric data. 



Abstract 



A method, apparatus and system for biometric authentication are proposed which 
are protected from replay attacks. In biometric authentication, a biometric feature 
presented by a person, for example a fingerprint or the personal signature, is presented 
and compared with previously stored reference data. In order to prevent the biometric 
data from being intercepted and used again for unauthorized authentication, the 
invention provides that authentication is refused in case of a 100% match or only 99% 
match of the data of the presented biometric feature with the stored reference data. 
This is because biometric features normally have the property that they cannot be 
detected in 100% reproducible fashion so that in such cases a replay attack can be 
assumed. In one embodiment of the invention, the presented biometric features are 
collected and stored and taken into account in subsequent authentication methods in 
the check for replay attacks. 